Anomaly detection using collaborative filtering
Abstract
Described are techniques for network anomaly detection. The techniques include generating, from network traffic, a plurality of network interactions, where respective network interactions comprise a communication source and a communication destination. The techniques further include generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model. The techniques further include calculating, for the respective network interactions, an outlier score based on the recommendation score. The techniques further include generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method comprising:
generating, from network traffic, a plurality of network interactions, wherein respective network interactions comprise a communication source, a communication destination, and a metric associated with the communication source and the communication destination; generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model; calculating, for the respective network interactions, an outlier score, wherein the outlier score comprises a normalized difference that is determined by taking an absolute value of a difference between the recommendation score and the metric and dividing by a maximal rating; generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold; and automatically performing a cybersecurity mitigation action on one or more network components based on the anomaly.
2 . The method of claim 1 , wherein the metric comprises an amount of data exchanged between the communication source and the communication destination.
3 . The method of claim 1 , wherein the metric comprises a recency of data exchanged between the communication source and the communication destination.
4 . The method of claim 1 , wherein the metric comprises a frequency of interaction between the communication source and the communication destination.
5 . The method of claim 1 , wherein a relatively stronger recommendation score generates a relatively less anomalous outlier score, and wherein a relatively weaker recommendation score generates a relatively more anomalous outlier score.
6 . The method of claim 1 , wherein the communication source comprises an Internet Protocol (IP) address.
7 . The method of claim 1 , wherein the communication source comprises a Media Access Control (MAC) address.
8 . The method of claim 1 , wherein the communication source comprises a host name.
9 . The method of claim 1 , wherein the communication source comprises a username.
10 . The method of claim 1 , wherein the communication source comprises a dynamic Internet Protocol (IP) range.
11 . The method of claim 1 , wherein the communication source comprises a network name.
12 . The method of claim 1 , wherein the communication source comprises a container identifier.
13 . The method of claim 1 , wherein the communication source comprises, for respective network interactions, at least one Internet Protocol (IP) address, at least one Media Access Control (MAC) address, at least one host name, at least one username, at least one dynamic Internet Protocol (IP) range, at least one network name, and at least one container identifier.
14 . The method of claim 1 , wherein the communication destination is an application identifier.
15 . The method of claim 1 , wherein the method is performed by a server implementing network anomaly detection code, and wherein the method further comprises:
metering usage of the network anomaly detection code; and generating an invoice based on metering the usage of the network anomaly detection code.
16 . The method of claim 1 , wherein the communication destination is a destination port.
17 . The method of claim 1 , wherein the cybersecurity mitigation action comprises adjusting a bandwidth Quality of Service characteristic of the one or more network components.
18 . A system comprising:
one or more computer readable storage media storing program instructions; and one or more processors which, in response to executing the program instructions, are configured to perform a method comprising: generating, from network traffic, a plurality of network interactions, wherein respective network interactions comprise a communication source, a communication destination, and a metric associated with the communication source and the communication destination; generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model; calculating, for the respective network interactions, an outlier score, wherein the outlier score comprises a normalized difference that is determined by taking an absolute value of a difference between the recommendation score and the metric and dividing by a maximal rating; generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold; and automatically performing a cybersecurity mitigation action on one or more network components based on the anomaly.
19 . A computer program product comprising one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions comprising instructions configured to cause one or more processors to perform a method comprising:
generating, from network traffic, a plurality of network interactions, wherein respective network interactions comprise a communication source, a communication destination, and a metric associated with the communication source and the communication destination; generating, for the respective network interactions, a recommendation score using a trained Collaborative Filtering (CF) model; calculating, for the respective network interactions, an outlier score, wherein the outlier score comprises a normalized difference that is determined by taking an absolute value of a difference between the recommendation score and the metric and dividing by a maximal rating; generating a notification identifying an anomaly in the network traffic based on at least one outlier score satisfying a threshold; and automatically performing a cybersecurity mitigation action on one or more network components based on the anomaly.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.